Automatically chroot'ing users in ISPConfig 2

Activating chroot'ed users via $go_info["server"]["ssh_chroot"] = 1 does not actually result in chroot'ing.

Background info:

I know that there are several threads on chroot'ing users with ISPConfig, but I found them inconsistent. While some people are probably successful in setting this up, some clearly fail (links below). I hope to get some clarification here.

I would like to thank Falko, Til and Co. for the great "Perfect Server" and other manuals. However, arguably, it is a security flaw that the manuals explain how to set up FTP. Many users (including myself up to a while ago) underestimate this security issue. If you could make setting up chroot'ed SFTP an integral part of your manuals and make non-local FTP access setup optional it would be awesome going forwards. In any case - thanks for your time.

System:

Ubuntu 10.04.4 LTS
configured as explained here. It's a cloud-box, so I started in the middle of step 7.

ISPConfig Version: 2.2.40

Aiming to set up chroot'ed users with ISPConfig I looked at a few sources:

Essentially, [1] and [2] say that you need to first enable an SSH host that supports chroot'ing and then go on to explain how to copy files essential for a chroot'ed user. Although [1] says that you need to download and build a modified server, that article is quite old, and from [2] it seems that these days it is sufficient to install OpenSSH (also hinted on here).

From [3] and [4] you learn that once you have a chroot-capable SSH host, you just need to set the flag '$go_info["server"]["ssh_chroot"]' in file '/home/admispconfig/ispconfig/lib/config.inc.php'. That will use the script '/root/ispconfig/scripts/shell/create_chroot_env.sh' to set up the necessary files for new users created by ISPConfig.

I did all of the above, but things do not work.
I see that files that should be copied by create_chroot_env.sh are indeed copied and that new users have a dot in their home directory path. However, when logging in under such a user I can see the entire file system which implies that I am not chroot'ed.

I am not sure how to diagnose the issue. Is there a way to check that the active SSH host is the one I need and that it supports chroot'ing? What else could I be missing? Do I perhaps require some 'Match' configuration blocks in the SSHD config file as described in [2]? If so, how should they look like to interop well with ISPConfig?

Diagnostics:

Here are some snippets from my system config/diagnostics that may be relevant: